Executive Summary

CVE-2026-31897 is a low-severity out-of-bounds read vulnerability in the FreeRDP library, specifically in the function freerdp_bitmap_decompress_planar. The issue occurs when the SrcSize parameter passed to this function is zero. The function dereferences the first byte of the source data buffer without verifying that SrcSize is at least 1, leading to a read one byte past the end of the buffer.

This happens because the function reads from the source data pointer unconditionally, even when the size is zero, causing it to access memory beyond the allocated buffer. The vulnerability can be triggered by a malicious server sending a crafted Remote Desktop Protocol (RDP) command with a zero-length data buffer.

The issue was fixed in FreeRDP version 3.24.0 by adding an input validation check to ensure that SrcSize is at least 1 before dereferencing the source buffer.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to two main impacts:

• Information Disclosure: The out-of-bounds read leaks one byte of heap memory past the allocated buffer, potentially exposing sensitive data.
• Denial of Service: The program may crash if the out-of-bounds read accesses an unmapped memory page, causing instability or service interruption.

The vulnerability requires no privileges but does require user interaction, meaning a user must connect to a malicious RDP server that sends the crafted command.

Overall, the severity is low, with a CVSS base score of 0.0, indicating limited impact on confidentiality, integrity, and availability.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability occurs in the FreeRDP client when processing a crafted RDP Surface Command with a length of zero but a non-NULL data pointer, causing an out-of-bounds read in the planar bitmap decompression function.

Detection can focus on monitoring RDP traffic for suspicious Surface Commands with zero length fields or unusual planar bitmap decompression errors in FreeRDP logs.

Since the vulnerability is triggered by receiving a crafted RDP command, network detection could involve inspecting RDP traffic for Surface Commands where the length field is zero.

There are no specific commands provided in the resources to detect this vulnerability directly on a system or network.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade FreeRDP to version 3.24.0 or later, where the vulnerability is fixed by adding a check to ensure the source size is at least 1 before dereferencing the source buffer.

If upgrading immediately is not possible, consider restricting or monitoring RDP traffic to prevent receiving malicious Surface Commands with zero length.

Additionally, applying network-level protections such as firewalls or intrusion detection systems that can detect or block malformed RDP packets may help reduce exposure.

Useful 0 Not Useful 0